Feds Charge Wall Street Traders With Code Theft

Three men accused of stealing Flow Traders' proprietary high-frequency trading information and algorithms.

Three men have been charged by Manhattan district attorney Cyrus Vance Jr. with stealing proprietary information from Amsterdam-based trading house Flow Traders.

All three, who are in their 20s, were arrested earlier this month -- based on information provided by Flow Traders -- and arraigned in New York state court, The Wall Street Journalfirst reported. Since then, the district attorney's office, working with the Secret Service, has been investigating the related charges and obtaining search warrants, with the cooperation of Flow Traders.

A related complaint recently filed in federal court accused Glen Cressman, a trader at the firm's New York office, of emailing copies of proprietary information such as trading strategies and algorithms -- although no source code -- to himself in December 2012. The complaint charged Cressman with two counts each of unlawfully duplicating computer-related material, as well as unauthorized use of secret scientific material.

Jason Vuu, 26, who worked at Flow Traders before resigning in March, was charged with 20 counts total of the two same offenses. Vuu reportedly emailed material -- including source code -- to himself between August 2011 and August 2012, sometimes altering the names of attached files in an apparent attempt to avoid detection.

The third person to be charged, Simon Lu, is a doctoral candidate in mechanical engineering at Carnegie Mellon University, and not a Flow Traders employee, and faces three counts each on the same two offenses.

Authorities said that Lu and Vuu became friends while studying at the Massachusetts Institute of Technology, and planned to set up their own high-frequency trading firm. According to court documents, Lu told Vuu in emails and chat sessions that obtaining Flow Traders' source code could prove valuable for setting up their business. Vuu then obtained the information and shared it with Lu via Dropbox.

Cressman hasn't been accused of being involved in the plan to set up a high-speed trading firm, and his attorney, Charles Ross, told the Journal that his client was innocent of the charges filed against him. "He was a great employee for Flow Traders. I am confident that when everything is put on the table, the case against him will completely unravel," he said.

Vuu's attorney, Jeremy Saland, admitted that his client had emailed code to himself without authorization, but said that Flow Traders had suffered no harm. "I'm confident that when the DA's office has completed their investigation they will find Flow Traders did not suffer any economic loss," Saland told Bloomberg. "Their algorithms and code weren't taken or used in any malicious way that damaged or compromised their financial security."

Lu's attorney, Paul Shechtman of Zuckerman Spaeder, told the Journal that he believes "the evidence will show that Simon never used source code from Flow Traders. We've asked the district attorney's office to keep an open mind as this moves forward."

The three men are due back in court on November 18. Even if convicted of all the charges against them, however, they face -- at most -- four years in prison. According to legal experts interviewed by the Journal, if convicted it's unlikely they'd serve any time at all.

High-frequency trading involves exploiting small stock-price fluctuations, and firms may execute an enormous number of such trades in just a fraction of a second. The algorithms underpinning those systems are closely guarded secrets, and can earn a firm hundreds of millions of dollars per year.

But the theft of related, proprietary source code and algorithms from financial firms isn't rare, according to a Wall Street & Technology report, which last year counted at least six related U.S. prosecutions since November 2010. Those cases involved employees at such banks as Goldman Sachs, Societe Generale and the Federal Reserve Bank of New York. In many instances, the accused appeared to have been motivated by the lure of higher salaries at other firms, as well as a sense of ownership over algorithms they'd helped to develop.

Expect the pace of such prosecutions to increase, as Manhattan prosecutors are reportedly readying more cases against people who've allegedly stolen code from Wall Street firms. "Employees who exploit their access to sensitive information should expect to face criminal prosecution in New York State in appropriate cases," Vance said in a statement last year.

But are stolen algorithms and valuation logic, which may involve thousands of lines of code, useful for others? Flow Traders' outside counsel, attorney Joseph DeMarco, told the Journal that the firm sees the code as "valuable intellectual property used by the company in its trading business." Marco is a former federal prosecutor who launched a computer hacking and intellectual property program working at the Manhattan U.S. Attorney's office.

But whether stolen high-frequency trading source code can be put to use in another IT environment remains a long-running debate in the financial sector. Some high-frequency trading experts say the code is intrinsically linked to the environment in which it's being run, requires teams of programmers to maintain, and thus is of little use to another organization. Others, however, such as UBS, Goldman Sachs and now Flow Traders, have aggressively pursued suspected code stealers.

I say prove it. The last case at Goldman was a farce and actually Goldman might want to look up old Sergey as I read he has some great engineering skills too:) If they found reworked code as they say, run it and see what it does. Also the traders unless they understand programming would have to be coached to determine what to share in Drop Box, a lot left out here and look at the reference to the Goldman/Sergey story from the FBI on "subversion"...if you are in tech you will laugh your fanny off at that one as the agent admits he had no clue what it was:) I wrote up my commentary on all of this...are we going to see another circus when it comes to proving theft here as a jury of peers in complex cases like this might be impossible to find and you have to watch the "experts" called in too as they can fabricate to win a case if no other experts dispute it:)

I'm oversimplifying the issue, but it's sort of ironic that prosecutions get stepped up when financial industry guys try to steal from one another. When the financial industry wrecks the economy for everyone else, though, not so much.

Published: 2015-03-31The build_index_from_tree function in index.py in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a commit with a directory path starting with .git/, which is not properly handled when checking out a working tree.